Simplifying large-scale network environments is a complex task, but one that a number of researchers and vendors are trying to undertake. This week, at the USENIX Symposium on Operating Systems Design and Implementation (OSDI), researchers from Google, Nicira Networks, NEC and the International Computer Science Institute (ICSI) at UC Berkeley will present a research project that they say will simplify the implementation of network control and management.

"In recent years, as new control requirements have arisen such as increased security and the migration of lots of virtual machines, the inadequacies of our current network control mechanisms have become especially problematic," the researchers state. To address some of these issues the researchers have developed a distributed control platform known as Onix.

Onix software runs on a cluster of one or more servers, each of which may run multiple Onix instances, the researchers said. At its heart is the Onix Network Information Base (NIB), a data structure that holds the state of all the elements of a particular network environment and that control applications read and write through the Onix API.

"As the control platform, Onix is responsible for giving the control logic programmatic access to the network. In order to scale to very large networks and to provide the requisite resilience for production deployments, an Onix instance is also responsible for disseminating network state to other instances within the cluster," the researchers state in their research paper on Onix.

"Onix consists of roughly 150,000 lines of C++ and integrates a number of third party libraries. At its simplest, Onix is a harness which contains logic for communicating with the network elements, aggregating that information into the NIB, and providing a framework in which application programmers can write a management application," the researchers state.

According to their paper, the researchers have developed a few Onix applications, including:

A network management application, which the group says is similar to Ethane, that enforces network security policies. Ethane maintains simple-to-define access policies in one place and helps implement them consistently across a network. According to the researchers, using a Flow-based Management Language, network administrators can declare security policies in a centralized fashion using high-level names instead of network-level addresses and identifiers. The application processes the first packet of every flow, obtained from the first-hop switch: it tracks hosts' current locations, applies the security policies and, if the flow is approved, sets up the forwarding state for the flow through the network to the destination host.
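As an added illustration of the flow-processing loop described above (this is demonstration code written for this article, not Onix's or Ethane's own code), the following toy controller receives the first packet of each flow from its first-hop switch, records where the source host is attached, evaluates a policy written over host names and groups rather than addresses, and, if the flow is allowed, installs a forwarding entry on every switch along the path. The topology in LINKS, the MAC-to-name bindings in NAMES, the groups and the policy rules are all constructed for the demo; in particular the static NAMES table stands in for the host authentication step that a real deployment would use to bind an address to a name.

```python
from collections import deque

# Constructed topology (an assumption for this demo, not from the paper):
# directed inter-switch links keyed by (switch, neighbour) -> output port.
LINKS = {("s1", "s2"): 1, ("s2", "s1"): 1, ("s2", "s3"): 2, ("s3", "s2"): 1}

# Constructed name bindings: MAC -> high-level host name. A real system would
# derive these from host authentication; this static table stands in for that.
NAMES = {
    "00:00:00:00:00:01": "alice",
    "00:00:00:00:00:02": "bob",
    "00:00:00:00:00:03": "db",
    "00:00:00:00:00:04": "mallory",
}
GROUPS = {"staff": {"alice", "bob"}, "servers": {"db"}, "guest": {"mallory"}}

# Policy over names and groups, not addresses: first matching rule wins,
# anything unmatched is denied.
POLICY = [
    ("staff", "servers", "allow"),
    ("servers", "staff", "allow"),
    ("staff", "staff", "allow"),
    ("guest", "servers", "deny"),
]


class Controller:
    def __init__(self, links, names, groups, policy):
        self.links, self.names, self.groups, self.policy = links, names, groups, policy
        self.location = {}                                           # host name -> (switch, port)
        self.flow_tables = {sw: [] for pair in links for sw in pair}  # installed entries per switch

    def groups_of(self, host):
        return {g for g, members in self.groups.items() if host in members}

    def permitted(self, src, dst):
        sg, dg = self.groups_of(src), self.groups_of(dst)
        for s, d, action in self.policy:
            if s in sg and d in dg:
                return action == "allow"
        return False                                                 # default deny

    def path(self, start, goal):
        """Breadth-first search over LINKS; returns the list of switches or None."""
        prev, queue = {start: None}, deque([start])
        while queue:
            sw = queue.popleft()
            if sw == goal:
                route = []
                while sw is not None:
                    route.append(sw)
                    sw = prev[sw]
                return route[::-1]
            for a, b in self.links:
                if a == sw and b not in prev:
                    prev[b] = sw
                    queue.append(b)
        return None

    def revoke(self, mac):
        """Remove forwarding state towards a host that has moved."""
        for sw in list(self.flow_tables):
            self.flow_tables[sw] = [e for e in self.flow_tables[sw] if e["dst"] != mac]

    def packet_in(self, switch, port, src_mac, dst_mac):
        """Handle the first packet of a flow, reported by its first-hop switch."""
        src = self.names.get(src_mac)
        if src is None:
            return "drop: unbound source"
        if self.location.get(src) not in (None, (switch, port)):
            self.revoke(src_mac)          # host moved: paths towards it are now stale
        self.location[src] = (switch, port)
        dst = self.names.get(dst_mac)
        if dst is None or dst not in self.location:
            return "drop: unknown destination"
        if not self.permitted(src, dst):
            return "deny"
        dst_sw, dst_port = self.location[dst]
        route = self.path(switch, dst_sw)
        if route is None:
            return "drop: no path"
        for hop, sw in enumerate(route):
            out = dst_port if sw == dst_sw else self.links[(sw, route[hop + 1])]
            self.flow_tables[sw].append({"src": src_mac, "dst": dst_mac, "out": out})
        return "forward"
```

Two details worth noting for anyone building on this pattern: the policy is evaluated once per flow, so a host that moves gets its old forwarding state revoked before a new path is installed, and the default is deny, so return traffic needs its own rule (the servers-to-staff rule above) rather than being implied by the forward direction.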

A distributed virtual switch (DVS) application for virtualized enterprise networks. In such environments, the network edge consists of virtual, software-based L2 switch appliances within hypervisors instead of physical network switches. It is not uncommon for virtual deployments (especially in cloud-hosting providers) to consist of tens of VMs per server, and to have hundreds, thousands or tens of thousands of VMs in total. To cope with such environments, the concept of a distributed virtual switch has come into play. A DVS roughly operates as follows: it provides a logical switch abstraction, and policies are declared on the logical switch ports. A single Onix instance then handles all the hypervisors of a single pool. All the switch configuration state is persisted to the transactional database, whereas VM locations are not shared between Onix instances. If an Onix instance goes down, the network can still operate; however, VM dynamics will no longer be handled.

An application that allows the creation of tenant-specific L2 networks. These networks provide a standard Ethernet service model and can be configured independently of each other and can span physical network subnets. The control logic isolates tenant networks by encapsulating tenants' packets at the edge, before they enter the physical network, and decapsulating them when they either enter another hypervisor or are released to the Internet. For each tenant virtual network, the control logic establishes tunnels pair-wise between all the hypervisors running virtual machines attached to the tenant virtual network.
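To make the tenant-isolation mechanism concrete, here is an added example (written for this article, not taken from the Onix paper or code base) that covers both the DVS and the tenant-network application above: the control logic computes, per tenant, the pair-wise tunnel mesh between the hypervisors hosting that tenant's VMs, and a per-hypervisor edge switch encapsulates frames as they leave a VM and validates and decapsulates them on arrival. The tenant of a frame is taken from the logical port the VM is attached to, never from the frame itself, which is what lets two tenants reuse the same MAC addresses. The placement table, MAC addresses and hypervisor names are constructed for the demo, and the Internet-gateway decapsulation case the paragraph mentions is not modelled.

```python
from collections import namedtuple

Frame = namedtuple("Frame", "src_mac dst_mac payload")          # tenant's Ethernet frame
Encap = namedtuple("Encap", "tenant outer_src outer_dst inner")  # tunnelled packet

# Constructed placement (assumed for the demo): tenant -> {vm: hypervisor}.
PLACEMENT = {
    "tenantA": {"a1": "hv1", "a2": "hv2", "a3": "hv3"},
    "tenantB": {"b1": "hv1", "b2": "hv2"},
}
# Constructed VM MACs. a1/b1 and a2/b2 share MACs on purpose: each tenant
# network is an independent L2 address space, so the overlay must keep them apart.
MACS = {
    ("tenantA", "a1"): "02:00:00:00:00:01",
    ("tenantA", "a2"): "02:00:00:00:00:02",
    ("tenantA", "a3"): "02:00:00:00:00:03",
    ("tenantB", "b1"): "02:00:00:00:00:01",
    ("tenantB", "b2"): "02:00:00:00:00:02",
}


def tunnel_mesh(placement):
    """Control logic: for each tenant, a tunnel between every pair of
    hypervisors that host at least one of that tenant's VMs."""
    mesh = {}
    for tenant, vms in placement.items():
        hvs = sorted(set(vms.values()))
        mesh[tenant] = {frozenset((a, b)) for i, a in enumerate(hvs) for b in hvs[i + 1:]}
    return mesh


def locate(placement, macs, tenant, mac):
    """Resolve a MAC inside one tenant's network to (vm, hypervisor), or None."""
    for (t, vm), m in macs.items():
        if t == tenant and m == mac:
            return vm, placement[t][vm]
    return None


class EdgeSwitch:
    """Virtual switch inside one hypervisor: encapsulates on the way out,
    validates and decapsulates on the way in."""

    def __init__(self, hv, placement, macs, mesh):
        self.hv, self.placement, self.macs, self.mesh = hv, placement, macs, mesh
        # A VM's tenant comes from its logical port binding, never from the frame.
        self.port_tenant = {vm: t for t, vms in placement.items()
                            for vm, h in vms.items() if h == hv}

    def egress(self, src_vm, frame):
        tenant = self.port_tenant[src_vm]
        hit = locate(self.placement, self.macs, tenant, frame.dst_mac)
        if hit is None:
            return None                       # not in this tenant's network: dropped
        dst_vm, dst_hv = hit
        if dst_hv == self.hv:
            return ("local", dst_vm, frame)   # same hypervisor, no tunnel needed
        return Encap(tenant, self.hv, dst_hv, frame)

    def ingress(self, pkt):
        if pkt.outer_dst != self.hv:
            return None
        # Accept only tunnels the control logic actually set up for this tenant,
        # i.e. the sending hypervisor hosts at least one of the tenant's VMs.
        if frozenset((pkt.outer_src, self.hv)) not in self.mesh.get(pkt.tenant, set()):
            return None
        hit = locate(self.placement, self.macs, pkt.tenant, pkt.inner.dst_mac)
        if hit is None or hit[1] != self.hv:
            return None
        return ("local", hit[0], pkt.inner)
```

The check in `ingress` against the tunnel mesh is the part a practitioner should not skip: without it, any machine on the physical network that can reach a hypervisor could inject frames into a tenant's network simply by writing the tenant identifier into the outer header. With it, isolation still depends on the hypervisors themselves being trusted, since a compromised hypervisor can forge outer headers for any tenant it legitimately hosts.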

"Onix does not, by itself, solve all the problems of network management. The designers of management applications still have to understand the scalability implications of their design. Onix provides general tools for managing state, but it does not magically make problems of scale and consistency disappear. We are still learning how to build control logic on the Onix API, but in the examples we have encountered so far management applications are far easier to build with Onix than without it," the researchers concluded.

Cooney is an Online News Editor and the author of the Layer 8 blog, Network World's daily home for the not-just-networking news. He has been working with Network World since 1992. You can reach him at mcooney@nww.com.